Protection of Personal Information Act

Thales eSecurity’s Vormetric Data Security Platform provides the tools you need to help comply with the POPI Act and prevent data breaches. Should a breach occur, you may be able to avoid the public breach notification if affected data has been encrypted with the Vormetric Platform.

South Africa’s POPI Act, which became law on 11th April, 2014, requires organisations to adequately protect sensitive data or face large fines, civil lawsuits or even prison. The Act extends certain rights to data subjects that give them control over how their personal information can be collected, processed, stored and shared.

Penalties

According to Chapter 11 (Offences, Penalties and Administrative Fines) of the POPI Act:

107. Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of–

(a) section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or

(b) section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.

According to Chapter 11, “a Magistrate’s Court has jurisdiction to impose any penalty provided for in section 107.”

Compliance Summary

Condition 7 of the POPI Act outlines the criteria for securing personal information. Thales eSecurity helps organisations address two of the key aspects of Condition 7:

Item 19 of Condition 7 states that an organisation must secure the integrity and confidentiality of personal information against loss, damage, unauthorised destruction and prevent unlawful access. Item 19 also requires organisations to assess the potential risks to personal information and establish safeguards against such risks. These safeguards must be regularly assessed, maintained, updated and audited to ensure a company’s compliance.

Item 22 outlines the action that organisations must take if “the personal information of a data subject has been accessed or acquired by any unauthorised person.” The responsible party must notify the Regulator and the data subject whose data has been breached “as soon as reasonably possible after the discovery of the compromise.” The Regulator has the right to force the organisation concerned to publish details of the data breach, the only exception being where the security of either the nation or the individuals is at stake.

Vormetric Transparent Encryption provides data-centric protection that ensures that, if data is stolen, it is unintelligible to those who steal it. Therefore, organisations can avoid the breach notification requirement in Item 22 because data subjects’ personal information will not have been compromised.

Moreover, Thales e-Security helps you prevent breaches from happening in the first place through:

Access control to ensure only credentialed users can retrieve the data

Separation of privileged access users and sensitive user data. With the Vormetric Data Security Platform, administrators can create a strong separation of duties between privileged administrators and data owners. Vormetric Transparent Encryption encrypts files, while leaving their metadata in the clear. In this way, IT administrators—including hypervisor, cloud, storage, and server administrators—can perform their system administration tasks, without being able to gain privileged access to the sensitive data residing on the systems they manage.

Separation of administrative duties. Strong separation-of-duties policies can be enforced to ensure one administrator does not have complete control over data security activities, encryption keys, or administration. In addition, the Vormetric Data Security Manager supports two-factor authentication for administrative access.

Granular privileged access controls. Vormetric’s solution can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and APT attacks. Granular privileged-user-access management policies can be applied by user, process, file type, time of day, and other parameters. Enforcement options can control not only permission to access clear-text data, but what file-system commands are available to a user.

Security Intelligence Logs

Thales e-Security lets the enterprise monitor and identify extraordinary data access. Vormetric Security Intelligence Logs are detailed management logs that specify which processes and users have accessed protected data. They specify when users and processes accessed data, under which policies, and if access requests were allowed or denied. The management logs will even expose when a privileged user submits a command like 'switch users' in order to attempt to imitate, and potentially exploit, the credentials of another user. Sharing these logs with a security information and event management (SIEM) platform helps uncover anomalous patterns in processes and user access, which can prompt further investigation.

Vormetric is our standard. Whenever an encryption solution is needed, the answer is always, ‘let’s start with Vormetric.’
Damian McDonald, Vice President of Global Information Security, Becton, Dickinson and Company

There is absolutely no noticeable impact on the performance or usability of applications. I am very excited at how easy the solution is to deploy and it has always performed flawlessly.
Christian Muus, Director of Security for Teleperformance EMEA

Implementing Vormetric has given our own clients an added level of confidence in the relationship they have with us; they know we’re serious about taking care of their data.
Audley Dean, senior director of Information Security, BMC Software

Vormetric’s approach of coupling access control with encryption is a very powerful combination. We use it to demonstrate to clients our commitment to preserving the security and integrity of their test cases, data and designs.
David Vargas, Information Security Architect, Cadence Design Systems

My concern with encryption was the overhead on user and application performance. With Vormetric, people have no idea it’s even running.
Karl Mudra, CIO, Delta Dental of Missouri

The Vormetric solution not only solved all of our encryption needs but alleviated any fears of the complexity and overhead of managing the environment once it was in place.
Joseph Johnson, chief information security officer, CHS

As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We…
Joe Majka, Chief Security Officer

Thales provided the expertise needed to design and implement a tailored, secure VoIP solution. The Thales team helped us to develop and implement a process that protects our customers’ calls and our company from counterfeiting.
Marek Dutkiewicz, Director of Product Management